@anthonygtellez
Created August 21, 2018 22:36

Fix for Splunk TA Bro to index gzipped data and have the sourcetype match the current (uncompressed) log

  • Disable the input once historical data onboarding is complete.
  • Required on UF, HF, IDX and SH.

inputs.conf

[monitor:///usr/local/bro/logs/*/*.log.gz]
sourcetype = brogz
index = bro

props.conf

[brogz]
SHOULD_LINEMERGE = false
TRUNCATE = 0
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s.%6N
TRANSFORMS-BroAutoTypegz = BroAutoTypegz, TrashComments
INDEXED_EXTRACTIONS = TSV
FIELD_HEADER_REGEX = ^#fields\t(.*)
FIELD_DELIMITER = \t
FIELD_QUOTE = \t

transforms.conf

[BroAutoTypegz]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Source
# Earlier candidate patterns kept for reference; a bare line is not a valid
# key = value setting, so they are commented out. The first assumes
# /opt/bro/logs rather than the /usr/local/bro/logs path monitored above.
# (?:\/opt\/bro\/logs\/\d{4}-\d{2}-\d{2}\/)([^.]+)(?:\.\d{2}\:\d{2}\:\d{2}\-\d{2}\:\d{2}\:\d{2}.log.gz)
# \/([^.]+)
# Capture only the log name ("conn" from conn.00:00:00-01:00:00.log.gz). The
# class excludes "/" so leftmost matching cannot pull the directory prefix
# into $1, and the literal dots in .log.gz are escaped.
REGEX = ([^./]+)\.\d{2}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}\.log\.gz$
FORMAT = sourcetype::bro_$1
WRITE_META = true
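To check what the stanzas above will do before deploying them, here is an added Python example (not part of the gist, and not Splunk's own code) that mimics the two steps: the sourcetype rewrite from the source path, with the capture restricted to `[^./]+` so the directory prefix cannot end up in `$1`, and the `INDEXED_EXTRACTIONS = TSV` header handling on a constructed, gzipped Bro conn log. The sample log content and the `derive_sourcetype`/`parse_bro_tsv` names are assumptions made for the example.

```python
import gzip
import io
import re

# Sourcetype-rewrite rule from the transforms.conf stanza: only the log name
# before the rotation timestamp is captured, never the directory prefix.
SOURCETYPE_REGEX = re.compile(r"([^./]+)\.\d{2}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}\.log\.gz$")
SOURCETYPE_FORMAT = "bro_$1"
DEFAULT_SOURCETYPE = "brogz"  # the sourcetype assigned in inputs.conf


def derive_sourcetype(source):
    """Mimic the transform: if REGEX matches the source path, rewrite the
    sourcetype via FORMAT, otherwise keep the inputs.conf sourcetype."""
    m = SOURCETYPE_REGEX.search(source)
    if not m:
        return DEFAULT_SOURCETYPE
    return SOURCETYPE_FORMAT.replace("$1", m.group(1))


def parse_bro_tsv(gz_bytes):
    """Mimic INDEXED_EXTRACTIONS=TSV with FIELD_HEADER_REGEX=^#fields\\t(.*):
    column names come from the #fields line, other # lines are dropped."""
    fields, rows = None, []
    with gzip.open(io.BytesIO(gz_bytes), "rt") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line.startswith("#fields\t"):
                fields = line[len("#fields\t"):].split("\t")
            elif line.startswith("#") or not line or fields is None:
                continue  # #separator, #path, #types, #close ... are not events
            else:
                rows.append(dict(zip(fields, line.split("\t"))))
    return rows


# Constructed sample: a two-event Bro conn log, gzipped in memory (assumption).
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_p\tproto\n"
    "#types\ttime\tstring\taddr\tport\tenum\n"
    "1534888800.123456\tCabc1\t10.0.0.5\t443\ttcp\n"
    "1534888801.654321\tCdef2\t10.0.0.7\t53\tudp\n"
    "#close\t2018-08-21-23-00-00\n"
)
SAMPLE_GZ = gzip.compress(SAMPLE_LOG.encode())

if __name__ == "__main__":
    print(derive_sourcetype("/usr/local/bro/logs/2018-08-21/conn.22:00:00-23:00:00.log.gz"))
    print(parse_bro_tsv(SAMPLE_GZ))
```

A path that does not carry the rotation timestamp (the live `current/conn.log`) is left on the inputs.conf sourcetype, which is the intended behaviour since that file is not monitored by this stanza.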